Roger Nebel, director of strategic security for Washington D.C.-based FTI Consulting, said fines will almost certainly be imposed on TJX because it was clearly negligent in holding onto unencrypted cardholder data, a direct violation of the PCI DSS.
The breach was worse than first thought, TJX officials admitted last week. The company initially believed that attackers had access to its network between May 2006 and January 2007. However, the ongoing investigation uncovered evidence that the thieves also were inside the network several other times, beginning in July 2005.
What not to do
Nebel and other PCI auditors said the breach offers some clear examples of the wrong way to treat sensitive data under the PCI DSS.
The standard sets out 12 basic security requirements, emphasizing the need for encryption, access controls and firewalls. Penalties for noncompliance range from fines of up to $500,000 to increased auditing requirements or even losing the ability to process credit card transactions.
Under the standard, Level 1 businesses -- those that process more than six million credit card transactions per year -- are subject to an annual on-site audit and quarterly network scans performed by an approved vendor. Level 2 or 3 companies that process 20,000 to 6 million credit card transactions a year must fill out an annual self-assessment questionnaire and must also have an approved vendor conduct quarterly network scans.
TJX violated basic rules
In recent interviews, several PCI DSS auditors noted that while most of their clients are achieving PCI DSS compliance, many have been forced to address serious problems along the way. When reviewing what merchants are doing to protect their customers' credit card data, auditors are typically finding that:
- Encryption is often inconsistent across a company's computer system. Credit card data may be protected in some instances, but not others.
- Some companies unnecessarily store credit card data and, making matters worse, fail to isolate the data from traveling across less secure parts of the network.
- Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone without authorization are trying to access credit card data.
- Some companies don't conduct regular scans for software vulnerabilities and abnormal activity.
- Companies that thought they were all set after complying with such regulations as the Sarbanes-Oxley Act and HIPAA discovered their controls were not adequate to meet the PCI DSS.
At the very least, TJX violated the PCI DSS by storing unencrypted cardholder data, said James DeLuccia, an independent auditor based in Atlanta, Ga.
"Credit and debit card data is something the PCI Security Standards Council will be concerned about," he said. "You're not supposed to store that kind of data, and [TJX] had it online and unencrypted."
Price will be steep
Nebel and DeLuccia said TJX will pay a high price for the breach. So will the banks that do business with the retail giant.
"You have to remember how this works -- Visa and MasterCard only have a direct relationship with the member banks," Nebel said. "They can only fine the banks."
The banks though will almost certainly pass the fines on to TJX, he said. There is a process where violators can try to recover the fines, but Nebel said the bar is set pretty high.
"Before any fines are levied, Visa and MasterCard will require a forensic investigation to determine the extent and culpability," Nebel said. "The merchant must show that there was information not available to the forensic examiner that somehow shows they are not responsible."
Nebel said he's never heard of any fine being reversed.
He also said it's unlikely the public will hear details on the fines levied against the banks or TJX, and it can take anywhere from a few weeks to a few months for the forensic investigation to determine the scope and causes of such an incident, if they can be determined at all.
But in the end, DeLuccia said, TJX will end up having to spend a lot of money to put the issue to rest, namely due to numerous fines and fees, legal and otherwise.
"There's no question that 40 million accounts had problems," DeLuccia said. "The affected credit cards alone cost $25 each to re-issue. So the bank could say, 'Hey, it cost us $25 per card to re-issue 200 cards, and we're passing the bill to you.'"
TJX will also lose money from civil lawsuits, and for having to hire security firms to overhaul their systems, DeLuccia said, adding, "Even without punitive fines, they're still paying dearly."
Lessons to be learned
Fortunately for other companies, the TJX case offers plenty of lessons on how not to approach the PCI DSS, the auditors said.
Joseph Krause, senior security engineer for Chicago-based AmbironTrustWave, said companies first have to get a fix on where customer data is on the network, where it travels and whether or not it's encrypted.
"Understanding where the data is and where it goes is a challenge for some, but it's a very important part of PCI DSS," he said. "If you don't know where your data is traveling and where it is stored, you can't secure it."
Krause also said companies also have to be sticklers for network monitoring.
"Usually when we see an environment for the first time, we find they are deficient in this area," he said. "Just being able to help them understand which logs they need to have a close eye on, on a daily basis," is a lot of work.
Finally, companies need to understand that there's no single product or service that can alleviate an enterprise's PCI DSS compliance woes. Every business and every network is different, and PCI DSS controls must be tailored to an organization's particular make-up.
"I tell clients it's not an easy process and it is an educational experience," he said. "The requirements for every company on the path to PCI compliance are quite different.
"There's no one-size-fits-all approach."